Office 365 Security

Office 365 provides a huge number of security options and settings, although most organizations are barely scratching the surface when it comes to using what’s available. Most of the Office 365 licences have some core features that can mitigate a high percentage of security risks, although they need to be configured in order to work as intended. Achieving the right balance between enabling your staff to access information wherever and whenever they need, and keeping your data and systems secure, is at the core of what 365 Solutions Group do. Using cloud technologies means your data is always backed up and available, and Microsoft’s continued investment in security ensures it stays protected.

Ransomware attacks are growing more than 350% annually

92% of malware is delivered by email

58% of malware attack victims are categorized as small business

5 Things Admins can do NOW to improve your Office 365 security

ENABLE AUDITING

Auditing is a feature in Office 365 that records all actions users take within the Office 365 suite. It records the last 90 days of activity so that following a breach or suspicious or unusual activity, admins can go back to see who performed what action and when. The audit log is a comprehensive log of actions that can be searched by multiple category-specific tasks such as changing permissions or accessing, downloading or deleting files. There is a significant number of actions being indexed into the log, and the more users you have, the larger the audit log can become. It's not designed as a tool for watching what staff are doing, but instead is an invaluable source of information when investigating who did what and when. You can enable auditing quickly and easily in your Office 365 Admin Center, and it will begin logging all actions from that point on. If you wait until there is an incident you need to report on before enabling auditing, it'll be too late.

SET UP ALERTS

The richness of the audit log can be called upon to identify specific actions as risks, so firstly you need to decide what constitutes risky or suspicious activity. For example, you can request an alert when an employee downloads more than 10 documents at once, since a bulk download might mean that they're stealing company information before resigning. Email alerts can be set on any action of any quantity within the audit log, and can be flagged as low, medium or high severity.

Setting up Alert Policies in the Office 365 Security and Compliance Admin Center is pivotal to making the most out of the audit log, as it enables you to act quickly if something unusual occurs. Which alerts are relevant for you depends on your industry and users' 'normal' behaviours. Adding alerts for external user activity might assist in knowing when partners are accessing SharePoint portals, and adding an alert for mass deletion of files or emails will give you the chance to review them in the recycle bin before the 30-day retention period ends, and restore items if necessary.
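As an added illustration (not part of the original article, and not Microsoft's alert engine), the sketch below applies the bulk-download rule from the example above to exported audit records. The records are constructed, the field names `CreationTime`, `UserId` and `Operation` follow the audit log export, and the 5-minute window used for "at once" is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # the article's example: more than 10 documents
WINDOW = timedelta(minutes=5)    # assumption: how close together counts as "at once"


def bulk_download_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Map each offending user to the time they first exceeded the threshold."""
    recent = defaultdict(deque)  # per-user download times still inside the window
    alerts = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["Operation"] != "FileDownloaded":
            continue             # views, edits and deletions are not downloads
        when = datetime.fromisoformat(rec["CreationTime"])
        times = recent[rec["UserId"]]
        times.append(when)
        while when - times[0] > window:
            times.popleft()      # forget downloads older than the window
        if len(times) > threshold:
            alerts.setdefault(rec["UserId"], when)
    return alerts


def build_sample_records():
    """Constructed records: one burst, one slow trickle, one set of views."""
    start = datetime(2019, 4, 1, 9, 0, 0)

    def rec(user, op, offset):
        return {"CreationTime": (start + offset).isoformat(),
                "UserId": user, "Operation": op}

    records = []
    for i in range(12):
        # 12 downloads in two minutes: crosses the threshold on the 11th
        records.append(rec("alice@contoso.example", "FileDownloaded", timedelta(seconds=10 * i)))
        # 12 downloads spread over two hours: never more than one per window
        records.append(rec("bob@contoso.example", "FileDownloaded", timedelta(minutes=10 * i)))
        # 12 file views: a different operation, so never counted
        records.append(rec("carol@contoso.example", "FileAccessed", timedelta(seconds=i)))
    return records


if __name__ == "__main__":
    for user, when in bulk_download_alerts(build_sample_records()).items():
        print(f"ALERT: {user} exceeded {THRESHOLD} downloads at {when}")
```

The same per-user volume, spread thinly enough, never trips the rule, which is why the window has to match what is normal for your users.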

Once auditing and alerts are configured to protect your business against internal threats and notify you of a possible breach, you've developed internal sensors to flag any future threats that occur in your system. It's now time to protect yourself from new potential breaches, as covered below.

According to Phishme in April 2019, phishing emails are responsible for about 91% of cyber attacks. Phishing refers to baiting someone to click a fake link that asks for their password, e.g. "Click here to get more OneDrive storage", which looks like a Microsoft OneDrive login, but captures the password to use maliciously.

Phishing attacks are getting smarter every day, and aside from training staff to know what to look for in spam emails, a company can ensure that EVEN IF a password is compromised, their users have a second level of protection that will prevent hackers and phishers from gaining access to their data.

ENABLE, CONFIGURE AND ENFORCE MULTI-FACTOR AUTHENTICATION (MFA)

Multi-Factor Authentication requires multiple methods of authentication when accessing Office 365 from a new device or browser. This means that you will receive a text message or a code in an app that lets you prove that you are the person to whom those credentials belong. The service can be configured so that users don't get asked every time they check their emails, and common setups will ask users every 60 days to enter a second verification, as well as any time the user logs in from a new device or location. In this way, even if a hacker gets a user's password, which is the cause of the vast majority of cyber-security breaches, it is highly unlikely they will also get their phone to receive messages too.

DISABLE IMAP AND POP

Once you have MFA in place and you're protecting yourself from anyone getting your passwords, the next step is to disable IMAP and POP protocols on your users' mailboxes, because hackers can use them to get around the Multi-Factor Authentication.

The Internet Message Access Protocol (IMAP) and POP (Post Office Protocol) are 30-year-old internet standard protocols used by legacy email clients to retrieve email messages from a mail server over a TCP/IP connection. They differ slightly in that IMAP is a consistent live connection, whereas POP is a temporary 'download and store' process removing the emails from the original server. New Office 365 authentication does not rely on IMAP or POP. Normal password log-in authentication, and Multi-Factor Authentication that challenges users for additional confirmation, are both irrelevant when using IMAP and POP configurations. Although some older applications legitimately use IMAP or POP to connect to your emails, having them enabled in your tenant is becoming an increasingly common tool for breaching your otherwise-secure environment.

By default, IMAP and POP protocols are enabled in Office 365 because of the widespread, long-term reliance of legacy systems on them. However, as reliance on their connectivity drops and risks increase, 365 Solutions Group recommends that they be disabled for all mailboxes through the Office 365 Exchange Admin Center.

You've now added internal measures to continuously check your system for new threats, and configured barriers to decrease the chances of someone getting access. The next step you should complete is to check for existing vulnerabilities you may not be aware of - on average it takes around 146 days from when a breach takes place to when it is detected, so you may have already suffered a hack without knowing it.

CHECK FOR FORWARDING RULES AND BLOCK ABILITY

A common method of attack, once a criminal gets access to your password, is to sit back and monitor your activity for a while. One of the first things they will often do is set up email forwarding on your account so that they get a copy of all your emails. They can then learn about your daily interactions, style of email composition, and the hierarchy of your business. This is so that they can launch an attack that is harder to identify when it happens.

For example, one of our clients discovered they had been breached when the Financial Controller received a seemingly normal email request from the CEO for a significant sum to be transferred to a known supplier who reported a change to bank details, and she mentioned this to the CEO in conversation. They soon realized that the CEO had never sent the email, and the bank details belonged to a criminal who had infiltrated their systems and had been watching their emails. This is very common and becoming more prevalent each day.

You can check your Exchange Admin Center for any forwarding rules that have been set, and run mail trace reports to check for any forwarded emails. We also advise that you block client forwarding capability, which prevents users from setting email forwarding rules within Outlook, so that users (or malicious threats) can't set forwarding to external email addresses. This setting does not inhibit the ability of Exchange Admins to set legitimate forwards on mailboxes.
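To complement the admin-center check described above, here is an added example (not from the original article) that scans exported audit records for rule or mailbox changes that forward mail outside the organization. The records are constructed, their `Operation` and `Parameters` shape is assumed to match the audit log export, and `contoso.example` stands in for your own domains.

```python
import re

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's accepted domains
FORWARDING_PARAMS = {                    # operation -> parameters that route mail elsewhere
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample records; users, rules and target addresses are made up.
SAMPLE_AUDIT_RECORDS = [
    {"UserId": "ceo@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "watcher@mail.example"}]},
    {"UserId": "fc@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:pa@contoso.example"}]},
    {"UserId": "it@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "sales@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@storage.example"}]},
]


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an internal domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def external_forwards(records, internal=INTERNAL_DOMAINS):
    """Return (user, operation, target) for every forward to an outside address."""
    findings = []
    for rec in records:
        watched = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters", []):
            if param["Name"] not in watched:
                continue                 # e.g. MoveToFolder keeps mail inside the mailbox
            for match in ADDRESS.finditer(param["Value"]):
                if not is_internal(match.group(1).lower(), internal):
                    findings.append((rec["UserId"], rec["Operation"], match.group(0).lower()))
    return findings


if __name__ == "__main__":
    for user, operation, target in external_forwards(SAMPLE_AUDIT_RECORDS):
        print(f"REVIEW: {user} {operation} forwards to {target}")
```

Each finding is a prompt to confirm with the mailbox owner whether they created the forward; one they don't recognise is a strong sign the account has been accessed by someone else.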

Once these 5 steps have been completed, you're already well ahead of most businesses with your IT security. If you'd like assistance configuring these steps, or would like to learn more about Office 365 Security, you can contact 365 Solutions Group. We also advise engaging us for a complete Office 365 Security Audit, where we review your Office 365 Secure Score, and present customized, interpreted actions to increase your security score and protect your business from cyber threats.

We're pretty relaxed here at 365 Solutions Group, so shoot us a line, and we can chat about Office 365, your business and maybe organize a get together to solve some of your business problems.

Reach us through 1300 228 744